From 9095f233c0258e9a05e958c7d822eb38681e7a5a Mon Sep 17 00:00:00 2001 From: "feng.zhou" Date: Mon, 2 Feb 2026 17:41:40 +0800 Subject: [PATCH 1/8] printk: Fix _DESCS_COUNT type for 64-bit systems The _DESCS_COUNT macro currently uses 1U (32-bit unsigned) instead of 1UL (unsigned long), which breaks the intended overflow testing design on 64-bit systems. Problem Analysis: ---------------- The printk_ringbuffer uses a deliberate design choice to initialize descriptor IDs near the maximum 62-bit value to trigger overflow early in the system's lifetime. This is documented in printk_ringbuffer.h: "initial values are chosen that map to the correct initial array indexes, but will result in overflows soon." The DESC0_ID macro calculates: DESC0_ID(ct_bits) = DESC_ID(-(_DESCS_COUNT(ct_bits) + 1)) On 64-bit systems with typical configuration (descbits=16): - Current buggy behavior: DESC0_ID = 0xfffeffff - Expected behavior: DESC0_ID = 0x3ffffffffffeffff The buggy version only uses 32 bits, which means: 1. The initial ID is nowhere near 2^62 2. It would take ~140 trillion wraps to trigger 62-bit overflow 3. The overflow handling code is never tested in practice Root Cause: ---------- The issue is in this line: #define _DESCS_COUNT(ct_bits) (1U << (ct_bits)) When _DESCS_COUNT(16) is calculated: 1U << 16 = 0x10000 (32-bit value) -(0x10000 + 1) = -0x10001 = 0xFFFEFFFF (32-bit two's complement) On 64-bit systems, this 32-bit value doesn't get extended to create the intended 62-bit ID near the maximum value. Impact: ------ While index calculations still work correctly in the short term, this bug has several implications: 1. Violates the design intention documented in the code 2. Overflow handling code paths remain untested 3. ABA detection code doesn't get exercised under overflow conditions 4. In extreme long-term running scenarios (though unlikely), could potentially cause issues when ID actually reaches 2^62 Verification: ------------ Tested on ARM64 system with CONFIG_LOG_BUF_SHIFT=20 (descbits=15): - Before fix: DESC0_ID(16) = 0xfffeffff - After fix: DESC0_ID(16) = 0x3fffffffffff7fff The fix aligns _DESCS_COUNT with _DATA_SIZE, which already correctly uses 1UL: #define _DATA_SIZE(sz_bits) (1UL << (sz_bits)) Signed-off-by: feng.zhou Reviewed-by: Petr Mladek Tested-by: Petr Mladek Link: https://patch.msgid.link/20260202094140.9518-1-realsummitzhou@gmail.com Signed-off-by: Petr Mladek --- kernel/printk/printk_ringbuffer.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/printk/printk_ringbuffer.h b/kernel/printk/printk_ringbuffer.h index 4ef81349d9fb..4f4949700676 100644 --- a/kernel/printk/printk_ringbuffer.h +++ b/kernel/printk/printk_ringbuffer.h @@ -122,7 +122,7 @@ enum desc_state { }; #define _DATA_SIZE(sz_bits) (1UL << (sz_bits)) -#define _DESCS_COUNT(ct_bits) (1U << (ct_bits)) +#define _DESCS_COUNT(ct_bits) (1UL << (ct_bits)) #define DESC_SV_BITS BITS_PER_LONG #define DESC_FLAGS_SHIFT (DESC_SV_BITS - 2) #define DESC_FLAGS_MASK (3UL << DESC_FLAGS_SHIFT) From f4cf0992be37e6a8bc6cf9108f2c9628a6188381 Mon Sep 17 00:00:00 2001 From: Shuvam Pandey Date: Tue, 17 Mar 2026 17:30:48 +0545 Subject: [PATCH 2/8] printf: add IPv6 address format tests printf_kunit already covers IPv4 address formatting, but the ip6() test case is empty even though printk-formats.rst documents %pI6, %pi6, %pI6c, and generic %pIS variants. Add focused IPv6 checks for raw and generic formatting, compressed output, the single-zero %pI6c corner case, and bracketed port formatting for sockaddr_in6. Signed-off-by: Shuvam Pandey Reviewed-by: Andy Shevchenko Reviewed-by: Petr Mladek Tested-by: Petr Mladek Link: https://patch.msgid.link/20260317114548.98919-1-shuvampandey1@gmail.com [pmladek@suse.com: Removed non-necessary details from the commit message.] Signed-off-by: Petr Mladek --- lib/tests/printf_kunit.c | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/lib/tests/printf_kunit.c b/lib/tests/printf_kunit.c index f6f21b445ece..bb70b9cddadd 100644 --- a/lib/tests/printf_kunit.c +++ b/lib/tests/printf_kunit.c @@ -17,6 +17,7 @@ #include #include #include +#include #include #include @@ -437,6 +438,27 @@ ip4(struct kunit *kunittest) static void ip6(struct kunit *kunittest) { + const struct in6_addr addr = { + .s6_addr = { 0x00, 0x01, 0x00, 0x02, 0x00, 0x03, 0x00, 0x04, + 0x00, 0x05, 0x00, 0x06, 0x00, 0x07, 0x00, 0x08 } + }; + const struct in6_addr single_zero = { + .s6_addr = { 0x00, 0x01, 0x00, 0x00, 0x00, 0x03, 0x00, 0x04, + 0x00, 0x05, 0x00, 0x06, 0x00, 0x07, 0x00, 0x08 } + }; + struct sockaddr_in6 sa = { + .sin6_family = AF_INET6, + .sin6_port = cpu_to_be16(12345), + .sin6_addr = addr, + }; + + test("00010002000300040005000600070008|0001:0002:0003:0004:0005:0006:0007:0008", + "%pi6|%pI6", &addr, &addr); + test("00010002000300040005000600070008|0001:0002:0003:0004:0005:0006:0007:0008", + "%piS|%pIS", &sa, &sa); + test("1:2:3:4:5:6:7:8", "%pI6c", &addr); + test("1:0:3:4:5:6:7:8", "%pI6c", &single_zero); + test("[1:2:3:4:5:6:7:8]:12345", "%pISpc", &sa); } static void From 8e81ecbf1cb46b8d2d13e772d5924b09bd60169a Mon Sep 17 00:00:00 2001 From: John Ogness Date: Thu, 26 Mar 2026 14:44:01 +0106 Subject: [PATCH 3/8] printk_ringbuffer: Fix get_data() size sanity check Commit cc3bad11de6e ("printk_ringbuffer: Fix check of valid data size when blk_lpos overflows") added sanity checking to get_data() to avoid returning data of illegal sizes (too large or too small). It uses the helper function data_check_size() for the check. However, data_check_size() expects the size of the data, not the size of the data block. get_data() is providing the size of the data block. This means that if the data size (text_buf_size) is at or near the maximum legal size: sizeof(prb_data_block) + text_buf_size == DATA_SIZE(data_ring) / 2 data_check_size() will report failure because it adds sizeof(prb_data_block) to the provided size. The sanity check in get_data() is counting the data block header twice. The result is that the reader fails to read the legal record. Since get_data() subtracts the data block header size before returning, move the sanity check to after the subtraction. Luckily printk() is not vulnerable to this problem because truncate_msg() limits printk-messages to 1/4 of the ringbuffer. Indeed, by adjusting the printk_ringbuffer KUnit test, which does not use printk() and its truncate_msg() check, it is easy to see that the reader fails and the WARN_ON is triggered. Fixes: cc3bad11de6e ("printk_ringbuffer: Fix check of valid data size when blk_lpos overflows") Signed-off-by: John Ogness Reviewed-by: Petr Mladek Tested-by: Petr Mladek Link: https://patch.msgid.link/20260326133809.8045-1-john.ogness@linutronix.de Signed-off-by: Petr Mladek --- kernel/printk/printk_ringbuffer.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/kernel/printk/printk_ringbuffer.c b/kernel/printk/printk_ringbuffer.c index 56c8e3d031f4..a3526bdd4e10 100644 --- a/kernel/printk/printk_ringbuffer.c +++ b/kernel/printk/printk_ringbuffer.c @@ -1302,10 +1302,6 @@ static const char *get_data(struct prb_data_ring *data_ring, return NULL; } - /* Sanity check. Data-less blocks were handled earlier. */ - if (WARN_ON_ONCE(!data_check_size(data_ring, *data_size) || !*data_size)) - return NULL; - /* A valid data block will always be aligned to the ID size. */ if (WARN_ON_ONCE(blk_lpos->begin != ALIGN(blk_lpos->begin, sizeof(db->id))) || WARN_ON_ONCE(blk_lpos->next != ALIGN(blk_lpos->next, sizeof(db->id)))) { @@ -1319,6 +1315,10 @@ static const char *get_data(struct prb_data_ring *data_ring, /* Subtract block ID space from size to reflect data size. */ *data_size -= sizeof(db->id); + /* Sanity check the max size of the regular data block. */ + if (WARN_ON_ONCE(!data_check_size(data_ring, *data_size))) + return NULL; + return &db->data[0]; } From 407f666db2b12c71744e5c897a74284768450578 Mon Sep 17 00:00:00 2001 From: John Ogness Date: Thu, 26 Mar 2026 14:44:02 +0106 Subject: [PATCH 4/8] printk_ringbuffer: Add sanity check for 0-size data get_data() has a sanity check for regular data blocks to ensure at least space for the ID exists. But a regular block should also have at least 1 byte of data (otherwise it would be data-less instead of regular). Expand the get_data() block size sanity check to additionally expect at least 1 byte of data. Signed-off-by: John Ogness Reviewed-by: Petr Mladek Tested-by: Petr Mladek Link: https://patch.msgid.link/20260326133809.8045-2-john.ogness@linutronix.de Signed-off-by: Petr Mladek --- kernel/printk/printk_ringbuffer.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/kernel/printk/printk_ringbuffer.c b/kernel/printk/printk_ringbuffer.c index a3526bdd4e10..aa4b39e94cfa 100644 --- a/kernel/printk/printk_ringbuffer.c +++ b/kernel/printk/printk_ringbuffer.c @@ -1308,8 +1308,11 @@ static const char *get_data(struct prb_data_ring *data_ring, return NULL; } - /* A valid data block will always have at least an ID. */ - if (WARN_ON_ONCE(*data_size < sizeof(db->id))) + /* + * A regular data block will always have an ID and at least + * 1 byte of data. Data-less blocks were handled earlier. + */ + if (WARN_ON_ONCE(*data_size <= sizeof(db->id))) return NULL; /* Subtract block ID space from size to reflect data size. */ From bf56987c111372a54ae877934a42f7fb0953a6ca Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lo=C3=AFc=20Gr=C3=A9goire?= Date: Fri, 27 Mar 2026 22:18:54 -0400 Subject: [PATCH 5/8] printk: ringbuffer: fix errors in comments MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The printk ringbuffer implementation is described in the comment as using three ringbuffers, but the current implementation uses two (desc and data). Update the comment so it matches the code. Fix few more known issues in the comments. Signed-off-by: Loïc Grégoire Reviewed-by: John Ogness Link: https://patch.msgid.link/20260328021855.53956-1-loicgre@gmail.com [pmladek@suse.com: Fixed few more issues in the comments by John Ogness.] Signed-off-by: John Ogness Reviewed-by: Petr Mladek Signed-off-by: Petr Mladek --- kernel/printk/printk_ringbuffer.c | 12 ++++++------ kernel/printk/printk_ringbuffer.h | 2 +- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/kernel/printk/printk_ringbuffer.c b/kernel/printk/printk_ringbuffer.c index aa4b39e94cfa..85c0c854b3ce 100644 --- a/kernel/printk/printk_ringbuffer.c +++ b/kernel/printk/printk_ringbuffer.c @@ -14,7 +14,7 @@ * * Data Structure * -------------- - * The printk_ringbuffer is made up of 3 internal ringbuffers: + * The printk_ringbuffer is made up of 2 internal ringbuffers: * * desc_ring * A ring of descriptors and their meta data (such as sequence number, @@ -224,7 +224,7 @@ * * prb_rec_init_rd(&r, &info, &text_buf[0], sizeof(text_buf)); * - * prb_for_each_record(0, &test_rb, &seq, &r) { + * prb_for_each_record(0, &test_rb, seq, &r) { * if (info.seq != seq) * pr_warn("lost %llu records\n", info.seq - seq); * @@ -1368,7 +1368,7 @@ static struct prb_desc *desc_reopen_last(struct prb_desc_ring *desc_ring, * * WMB from _prb_commit:A to _prb_commit:B * matching - * MB If desc_reopen_last:A to prb_reserve_in_last:A + * MB from desc_reopen_last:A to prb_reserve_in_last:A */ if (!atomic_long_try_cmpxchg(&d->state_var, &prev_state_val, DESC_SV(id, desc_reserved))) { /* LMM(desc_reopen_last:A) */ @@ -1773,9 +1773,9 @@ static void _prb_commit(struct prb_reserved_entry *e, unsigned long state_val) * * Relies on: * - * MB _prb_commit:B to prb_commit:A + * MB from _prb_commit:B to prb_commit:A * matching - * MB desc_reserve:D to desc_make_final:A + * MB from desc_reserve:D to desc_make_final:A */ if (!atomic_long_try_cmpxchg(&d->state_var, &prev_state_val, DESC_SV(e->id, state_val))) { /* LMM(_prb_commit:B) */ @@ -2038,7 +2038,7 @@ u64 prb_first_seq(struct printk_ringbuffer *rb) * * MB from desc_push_tail:B to desc_reserve:F * matching - * RMB prb_first_seq:B to prb_first_seq:A + * RMB from prb_first_seq:B to prb_first_seq:A */ smp_rmb(); /* LMM(prb_first_seq:C) */ } diff --git a/kernel/printk/printk_ringbuffer.h b/kernel/printk/printk_ringbuffer.h index 4f4949700676..4c6411b3582d 100644 --- a/kernel/printk/printk_ringbuffer.h +++ b/kernel/printk/printk_ringbuffer.h @@ -383,7 +383,7 @@ for ((s) = from; prb_read_valid(rb, s, r); (s) = (r)->info->seq + 1) * * This is a macro for conveniently iterating over a ringbuffer. * Note that @s may not be the sequence number of the record on each - * iteration. For the sequence number, @r->info->seq should be checked. + * iteration. For the sequence number, @i->seq should be checked. * * Context: Any context. */ From 36776b7f8a8955b4e75b5d490a75fee0c7a2a7ef Mon Sep 17 00:00:00 2001 From: Geert Uytterhoeven Date: Tue, 31 Mar 2026 17:21:43 +0200 Subject: [PATCH 6/8] lib/hexdump: print_hex_dump_bytes() calls print_hex_dump_debug() print_hex_dump_bytes() claims to be a simple wrapper around print_hex_dump(), but it actally calls print_hex_dump_debug(), which means no output is printed if (dynamic) DEBUG is disabled. Update the documentation to match the implementation. Fixes: 091cb0994edd20d6 ("lib/hexdump: make print_hex_dump_bytes() a nop on !DEBUG builds") Signed-off-by: Geert Uytterhoeven Reviewed-by: Petr Mladek Link: https://patch.msgid.link/3d5c3069fd9102ecaf81d044b750cd613eb72a08.1774970392.git.geert+renesas@glider.be Signed-off-by: Petr Mladek --- include/linux/printk.h | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/include/linux/printk.h b/include/linux/printk.h index 45c663124c9b..dc02e217a9d1 100644 --- a/include/linux/printk.h +++ b/include/linux/printk.h @@ -803,7 +803,8 @@ static inline void print_hex_dump_debug(const char *prefix_str, int prefix_type, #endif /** - * print_hex_dump_bytes - shorthand form of print_hex_dump() with default params + * print_hex_dump_bytes - shorthand form of print_hex_dump_debug() with default + * params * @prefix_str: string to prefix each line with; * caller supplies trailing spaces for alignment if desired * @prefix_type: controls whether prefix of an offset, address, or none @@ -811,7 +812,7 @@ static inline void print_hex_dump_debug(const char *prefix_str, int prefix_type, * @buf: data blob to dump * @len: number of bytes in the @buf * - * Calls print_hex_dump(), with log level of KERN_DEBUG, + * Calls print_hex_dump_debug(), with log level of KERN_DEBUG, * rowsize of 16, groupsize of 1, and ASCII output included. */ #define print_hex_dump_bytes(prefix_str, prefix_type, buf, len) \ From aea645c02f1acc36088618667e086b62d8f83e92 Mon Sep 17 00:00:00 2001 From: Thorsten Blum Date: Tue, 7 Apr 2026 20:18:36 +0200 Subject: [PATCH 7/8] lib/vsprintf: use bool for local decode variable The local variable 'decode' is only used as a boolean value - change its data type from int to bool accordingly. Signed-off-by: Thorsten Blum Reviewed-by: Petr Mladek Link: https://patch.msgid.link/20260407181835.1053072-2-thorsten.blum@linux.dev Signed-off-by: Petr Mladek --- lib/vsprintf.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/vsprintf.c b/lib/vsprintf.c index a3790c43a0ab..2871ffd28103 100644 --- a/lib/vsprintf.c +++ b/lib/vsprintf.c @@ -1106,7 +1106,7 @@ char *resource_string(char *buf, char *end, struct resource *res, 2*RSRC_BUF_SIZE + FLAG_BUF_SIZE + RAW_BUF_SIZE)]; char *p = sym, *pend = sym + sizeof(sym); - int decode = (fmt[0] == 'R') ? 1 : 0; + bool decode = fmt[0] == 'R'; const struct printf_spec *specp; if (check_pointer(&buf, end, res, spec)) @@ -1131,7 +1131,7 @@ char *resource_string(char *buf, char *end, struct resource *res, } else { p = string_nocheck(p, pend, "??? ", str_spec); specp = &mem_spec; - decode = 0; + decode = false; } if (decode && res->flags & IORESOURCE_UNSET) { p = string_nocheck(p, pend, "size ", str_spec); From 8901ac9d2c7eb8ed7ae5e749bf13ecb3b6062488 Mon Sep 17 00:00:00 2001 From: Petr Mladek Date: Tue, 14 Apr 2026 17:41:24 +0200 Subject: [PATCH 8/8] printf: Compile the kunit test with DISABLE_BRANCH_PROFILING DISABLE_BRANCH_PROFILING GCC < 12.1 can miscompile printf_kunit's errptr() test when branch profiling is enabled. BUILD_BUG_ON(IS_ERR(PTR)) is a constant false expression, but CONFIG_TRACE_BRANCH_PROFILING and CONFIG_PROFILE_ALL_BRANCHES make the IS_ERR() path side-effectful. GCC's IPA splitter can then outline the cold assert arm into errptr.part.* and leave that clone with an unconditional __compiletime_assert_*() call, causing a false build failure. This started showing up after test_hashed() became a macro and moved its local buffer into errptr(), which changed GCC's inlining and splitting decisions enough to expose the compiler bug. Workaround the problem by disabling the branch profiling for printf_kunit.o. It is a straightforward and acceptable solution. The workaround can be removed once the minimum GCC includes commit 76fe49423047 ("Fix tree-optimization/101941: IPA splitting out function with error attribute"), which first shipped in GCC 12.1. Fixes: 9bfa52dac27a ("printf: convert test_hashed into macro") Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202604030636.NqjaJvYp-lkp@intel.com/ Cc: stable@vger.kernel.org Acked-by: Tamir Duberstein Link: https://patch.msgid.link/ad5gJAX9f6dSQluz@pathway.suse.cz Signed-off-by: Petr Mladek --- lib/tests/Makefile | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lib/tests/Makefile b/lib/tests/Makefile index 05f74edbc62b..7e9c2fa52e35 100644 --- a/lib/tests/Makefile +++ b/lib/tests/Makefile @@ -40,6 +40,8 @@ obj-$(CONFIG_MEMCPY_KUNIT_TEST) += memcpy_kunit.o obj-$(CONFIG_MIN_HEAP_KUNIT_TEST) += min_heap_kunit.o CFLAGS_overflow_kunit.o = $(call cc-disable-warning, tautological-constant-out-of-range-compare) obj-$(CONFIG_OVERFLOW_KUNIT_TEST) += overflow_kunit.o +# GCC < 12.1 can miscompile errptr() test when branch profiling is enabled. +CFLAGS_printf_kunit.o += -DDISABLE_BRANCH_PROFILING obj-$(CONFIG_PRINTF_KUNIT_TEST) += printf_kunit.o obj-$(CONFIG_RANDSTRUCT_KUNIT_TEST) += randstruct_kunit.o obj-$(CONFIG_SCANF_KUNIT_TEST) += scanf_kunit.o